$result of a resource# is good. That means you have a resultset back; this doesn't tell you if you have any records or anything about it, though. You now need to fetch it. I'd suggest, since you will only have one result, that mysql_result is the best option:
$sum = mysql_result($result, 0);
$sum will be the number you want.
You should always put the effort into preventing SQL injection regardless of the use. Using the mysql library it's a simple matter of:
- Check if magic_quotes_gpc directive is enabled. If it is, execute stripslashes on any input data
- Cast the datatypes appropriately; if string (including datetime datatypes), filter through mysql_real_escape_string
If you use prepared statements in PDO or MySQLi, then only the first step needs to occur. The statement is prepared outside of the data provided, so it's not possible to inject SQL commands into data.
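As an added illustration (not code from the answer above), here are the two steps of the legacy mysql_* approach beside the PDO prepared-statement version, both fetching the single SUM value the question is after. The table and columns (orders, amount, customer_id, status) and the DSN/credentials are assumptions.

```php
<?php
// Added example: legacy escaping path vs. PDO prepared statement.
// Table, columns and connection details are assumed, not from the original answer.

// Legacy path, following the answer's two steps: undo magic_quotes if it is
// enabled, then cast numeric input and escape strings before building the SQL.
function legacy_sum($link, $customer_id, $status)
{
    if (get_magic_quotes_gpc()) {                       // step 1: strip automatic slashes
        $status = stripslashes($status);
    }
    $customer_id = (int) $customer_id;                  // step 2a: cast numeric datatypes
    $status = mysql_real_escape_string($status, $link); // step 2b: escape string datatypes
    $sql = "SELECT SUM(amount) FROM orders "
         . "WHERE customer_id = $customer_id AND status = '$status'";
    $result = mysql_query($sql, $link);
    if ($result === false) {
        throw new RuntimeException(mysql_error($link));
    }
    return mysql_result($result, 0);                    // single value, as in the answer
}

// Prepared-statement path: the SQL text is sent to the server before any data,
// so the bound values are never parsed as SQL; only step 1 still applies.
function pdo_sum(PDO $pdo, $customer_id, $status)
{
    if (get_magic_quotes_gpc()) {                       // step 1 still applies
        $status = stripslashes($status);
    }
    $stmt = $pdo->prepare(
        'SELECT SUM(amount) FROM orders WHERE customer_id = :cid AND status = :status'
    );
    $stmt->bindValue(':cid', (int) $customer_id, PDO::PARAM_INT);
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchColumn();                        // equivalent of mysql_result($result, 0)
}

// Usage with an assumed DSN and credentials:
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,                // real server-side prepares
]);
echo pdo_sum($pdo, $_GET['customer_id'], $_GET['status']);
```

The mysql_* functions were removed in PHP 7, so on current PHP only the PDO path will run; it is shown first-hand here because the answer describes both.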